Daily Archives: June 5, 2018

Valve Resolves Steam Gaming Client Vulnerability

Valve Corporation, the games company known primarily for its gaming client Steam, has updated the client to resolve a critical vulnerability that had been inadvertently present within Steam for the last 10 years.

Why should this vulnerability be considered important?
This vulnerability is more serious because Steam has many millions of users and because it is remotely exploitable (the attacker does not need to first have access to the victim system). An attacker would only have needed to send malformed UDP packets to a victim system for it to have Steam carry out instructions of their choice.

This vulnerability was a buffer overflow within one of Steam’s internal libraries; more specifically, in code that dealt with UDP datagram reassembly.
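To show the kind of bounds checking that datagram reassembly code needs, here is an added example; it is not Valve's code and does not reproduce the Steam protocol. The fragment header layout, the buffer size and every name in it are hypothetical, and the sample fragments are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MAX_DATAGRAM 4096u   /* hypothetical reassembly buffer size */

struct fragment {            /* hypothetical header; every field is untrusted */
    uint32_t total_len;      /* claimed size of the complete datagram */
    uint32_t offset;         /* where this fragment's payload belongs */
    uint32_t len;            /* payload bytes carried by this fragment */
    const uint8_t *data;
};

struct reassembly {
    uint8_t  buf[MAX_DATAGRAM];
    uint32_t total_len;      /* fixed by the first accepted fragment; 0 = unset */
};

/* Copy one fragment into place. Returns 0 on success, -1 if rejected. */
int add_fragment(struct reassembly *r, const struct fragment *f)
{
    if (f->total_len == 0 || f->total_len > MAX_DATAGRAM)
        return -1;           /* claimed size does not fit the buffer */
    if (r->total_len == 0)
        r->total_len = f->total_len;
    else if (f->total_len != r->total_len)
        return -1;           /* a later fragment tried to change the size */
    /* Compare len with the space left: offset + len could wrap in 32 bits. */
    if (f->len == 0 || f->offset > r->total_len ||
        f->len > r->total_len - f->offset)
        return -1;
    memcpy(r->buf + f->offset, f->data, f->len);
    return 0;
}

/* Constructed samples: one well-formed fragment, three malformed ones. */
int run_samples(void)
{
    static const uint8_t payload[64] = {0};
    struct reassembly r = {0};
    const struct fragment samples[] = {
        { 128, 0, 64, payload },            /* accepted */
        { 128, 100, 64, payload },          /* runs past total_len */
        { 128, 0xFFFFFFF0u, 64, payload },  /* offset + len would wrap */
        { 8192, 0, 64, payload },           /* claims more than the buffer */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (add_fragment(&r, &samples[i]) != 0)
            rejected++;
    return rejected;         /* 3 */
}
```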

How can I protect myself from this vulnerability?
In July 2017, the Steam client added Address Space Layout Randomisation (ASLR), making exploitation of the vulnerability more difficult; an exploitation attempt would then only crash the Steam client. If, however, an attacker combined it with an information leak which exposed the memory address of the vulnerable library, the result would have been the same even with ASLR enabled.

Valve patched this vulnerability on April 4th. The Steam client by default updates automatically. Please open it and allow it to update to resolve this vulnerability.

Thank you.